VZCZCXRO7255
OO RUEHDBU RUEHFL RUEHKW RUEHLA RUEHROV
DE RUEHTL #0375/01 1571424
ZNY SSSSS ZZH
O 061424Z JUN 07
FM AMEMBASSY TALLINN
TO RUEHC/SECSTATE WASHDC IMMEDIATE 9902
INFO RUEHZL/EUROPEAN POLITICAL COLLECTIVE IMMEDIATE
RUEHMO/AMEMBASSY MOSCOW IMMEDIATE 2522
RUEATRS/DEPT OF TREASURY WASHDC IMMEDIATE
RHEFDIA/DIA WASHDC IMMEDIATE
RUCNFB/FBI WASHDC IMMEDIATE
RHMFISS/DEPT OF HOMELAND SECURITY WASHINGTON DC IMMEDIATE
RHMFISS/HQ USEUCOM VAIHINGEN GE IMMEDIATE
RUEKJCS/JOINT STAFF WASHDC IMMEDIATE
RHEHNSC/NSC WASHDC IMMEDIATE
RUEKJCS/SECDEF WASHDC IMMEDIATE
RUEHBS/USEU BRUSSELS IMMEDIATE
RUEHNO/USMISSION USNATO IMMEDIATE 1204
RHEHAAA/WHITE HOUSE WASHDC IMMEDIATE

S E C R E T SECTION 01 OF 04 TALLINN 000375 


SIPDIS 

DEPT FOR EUR/NB 

E.O. 12958: DECL: 06/06/2017 
TAGS: PREL PGOV ECON ETRD NATO RS EN
SUBJECT: ESTONIA'S CYBER ATTACKS: LESSONS LEARNED 

REF: A) TALLINN 366 B) LEE-GOLDSTEIN EMAIL 05/11/07 
B) TALLINN 347 

Classified By: Charge d'Affaires Jeff Goldstein for reasons 1.4 (b) & ( 
d) 

¶1. (S) Summary. On April 27, Estonia became the 
unprecedented victim of the world's first cyber attacks 
against a nation state. Although an analysis of events is 
ongoing, this event demonstrated the vulnerability of both 
government and private sector internet infrastructure. 
Working together with Estonian cyber security experts, the 
Ministry of Defense (MOD) is preparing a report analyzing 
the crisis, evaluating the strengths and weaknesses of the 
Estonian response, and recommend changes to Estonia's cyber 
defenses and security. The GOE and Estonian cyber defense 
experts all agree that while they successfully responded to 
these attacks, they will need to improve Estonia's defenses 
to prevent what they described as the nightmare scenario: a 
shutdown of Estonia's internet infrastructure as a result 
of more serious attacks at some point in the future. End 
Summary. 


The Nature of the Attacks 
------------------------- 

¶2. (SBU) Starting on April 27, Estonia became the world's 
first victim of cyber attacks against a nation state's 
political and economic infrastructure. For over a month, 
government, banking, media, and other Estonian websites, 
servers, and routers came under a barrage of ever-shifting 
and coordinated cyber attacks that tried to shut down 
specific strategic targets (Ref A). Unlike traditional 
cyber attacks which try to "hack" into a system, the 
attacks against Estonian sites used the basic architecture 
of the internet to disrupt their operation. At Post's 
request XXXXXXXXXXXX visited Tallinn to assess the
situationApril 16-18.  XXXXXXXXXXXX opined that it is
not technically feasible to  prevent attacks of this nature,
no matter how sophisticated  a country's cyber-defenses are.
However, due to Estonia's  rapid response, the attacks did
not seriously threaten  Estonia's cyber network and infrastructure. 

¶3. (C) The cyber attacks exposed the strengths and 
weaknesses of Estonia's cyber defense system. XXXXXXXXXXXX
 told us that the Ministry of Defense is  preparing a report to
submit to the GOE by the end of June.  Based on our discussions
with GOE, CERT, and private  Estonian cyber security experts,
it is clear that the Estonians are working furiously to analyze
where their cyber defenses and protocols worked, failed, and/or
need  improvement. Although these cyber attacks were 
unprecedented in nature, our Estonian interlocutors all 
agreed that the outcome could have been much worse. They 
also note that the MOD's report notwithstanding, the impact 
on cyber defense policy for both the public and private 
sectors will be discussed and felt for a very long time. 
The following is a summary of GOE "lessons learned" from 
these attacks. 

Lessons Learned: What Worked 
---------------------------- 

¶4. (SBU) STRENGTH IN BEING SMALL. With a population of 1.3 
million people, Estonia's small size was its strongest 
asset in reacting rapidly to the cyber attacks. Estonia's 
CERT, the GOE's Cyber Defense Unit, and private IT Security 
Managers all knew each other for years before the crisis 
and were, thus, able to work closely together. Information 
sharing and decision making were rapid and flexible. 
Everything was handled - from the working level to the 
leadership - in an almost seamless fashion throughout the 
attacks. "We're talking about a group of ten key people in 
the government and private sector who've known each other 
for years, trust one another, and all have direct access to 

TALLINN 00000375 002 OF 004 


each other" XXXXXXXXXXXX,  commented to us.
"Therefore, there was no inter-agency  bureaucracy or
red tape to cut through." 

¶5. (C) E-VOTING. In March 2007, Estonia held the world's 
first national election where e-voting was used. From the 
outset of the crisis, the e-voting security team was 
immediately seconded to CERT and became a vital asset in 
responding to the attacks. Although Estonia's CERT has 
only two full time staff, XXXXXXXXXXXX said he was able
to call  upon a roster of 200 programmers and security
experts from  the e-voting security team to ensure a 24/7 response 
mechanism against incoming cyber attacks. As the e-voting 
team was already at work on next generation security 
measures (in anticipation for Estonia's 2009 local 
elections), there was no need for them to "catch up" 
according to XXXXXXXXXXXX. These experts were invaluable
in  addressing the wide variety of attacks (e.g., bots, spam, 
DDoS, Trojan Horses, etc.). 

¶6. (C) INFORMATION GATHERING. Our MOD interlocutors credit 
Estonian law enforcement and cyber security experts' 
(public and private) close monitoring of Russian-language 
internet forums as key to CERT's ability to rapidly respond 
to the attacks. On April 28, less than 24 hours after the 
first cyber attacks, Russian-language internet forums 
(e.g., http://2ch.ru and http://forum.xaker.ru) were 
exhorting people to attack specific GOE websites and 
offering links to software tools. Patient monitoring of 
these internet-forums led to intelligence on targets, 
dates, and exact times for coordinated attacks.
XXXXXXXXXXXX told us  privately that without this
 information, the cyber attacks  against GOE sites could hav
 inflicted far more damage than  they did. 

¶7. (C) SECURE ONLINE BANKING. Hansabank and SEB 
successfully weathered the cyber attacks against them 
because of defensive measures and procedures already in 
place. According to CERT, the banks' procedures are in 
many ways superior to the GOE's. XXXXXXXXXXXX
 said that due to  the longstanding problem of cyber crime
in the region -  often with banks as prime targets - the banks
were well  prepared for the attacks. For example,
XXXXXXXXXXXX  told us,  organized gangs have
employed bot attacks in the past. As  a result, Hansabank
 had the necessary cyber security  measures in place to defend 
against this type of attack. 
In the end, Hansabank-s sites successfully repelled every 
attack and were able to provide their Estonian customers 
access to their online accounts. (Note. Almost 90% of all 
financial transactions (e.g., bill payments) are done 
online. Hansabank and SEB alone handle over three-fourths 
of that traffic. End Note.) 

Lessons Learned: What Failed 
---------------------------- 

¶8. (S) FORMAL PROCEDURES. XXXXXXXXXXXX told us
he  believes that Estonia-s formal and institutional procedures 
for responding to cyber attacks failed completely. 
Throughout the crisis, ad hoc meetings and decision making 
based on established informal contacts and relationships 
were used to disseminate information - instead of 
formalized institutional channels with clear communication 
chains. Additionally, XXXXXXXXXXXX told us that the GOE
did  not keep an official record or log of decisions and actions 
taken during the crisis. Consequently, it is uncertain how 
thorough the GOE's post-crisis assessment or efforts to 
improve Estonia's formal cyber defense procedures will be. 
XXXXXXXXXXXX explained that neither CERT nor the GOE
had the  personnel to "put out the fire and also act as a secretary 
to take down the minutes." (Note: XXXXXXXXXXXX claims
of  staff shortages are somewhat questionable given that he 
told us that neither he nor any of his staff had to work 
over-time during the cyber attacks. End Note.) 

¶9. (S) LACK OF CENTRALIZED GOE POLICY. MOD interlocutors 
admitted that there was no consistent GOE policy across 

TALLINN 00000375 003 OF 004 

ministries on cyber security, broadband capacity, and 
information sharing. For example, some ministries use 
static websites while others use more vulnerable dynamic 
websites. Ministries also use different internet providers 
which have different security procedures in place. This 
unnecessary complexity made initial information sharing 
between ministries more cumbersome and confusing, 
especially for ministries with fewer resources for IT risk 
management (e.g., the Ministry of Population, Ministry of 
Education, Ministry of Culture, etc.). XXXXXXXXXXXX,
told us that creating a  consistent policy for the various ministries 
will be a key  recommendation in the MOD's report. 

¶10. (S) MONITORING. The cyber attacks also exposed 
Estonia's total lack of a comprehensive monitoring system. 
Estonia does not have a national IP (internet protocol) 
network of sensors to precisely monitor traffic for cyber 
attacks. As a result, the GOE and CERT did not have any 
hard data on the number of computers and/or servers that 
were used in the attacks. XXXXXXXXXXXX, Estonia's main telecommunication and IT  provider, told us that his company
relies on U.S.-based  Arbor Networks to monitor its network.
Our MOD and private sector interlocutors all agreed on how
important it was for  Estonia to have its own monitoring network,
but they could  not confirm on the likelihood that the GOE
would invest in  this infrastructure upgrade. 

¶11. (S) WHACK-A-MOLE. In the initial stages of the cyber 
attacks, the Estonian method of response was to block each 
and every attack through its corresponding ISP address as 
it happened. XXXXXXXXXXXX dubbed this the "whack-a- 
mole" response and opined that prior to April 27 this 
approach might have been sufficient. However, the sheer 
volume of the recent cyber attacks quickly overwhelmed the 
Estonian defenses. CERT, Elion, and the GOE's Cyber Defense 
Unit were eventually forced to apply broader and more 
stringent filtering mechanisms on all internet traffic to 
prevent the attacks from entering Estonia. XXXXXXXXXXXX
observed that unlike the United States and many European 
Union members who routinely filter foreign internet 
traffic, prior to the recent attacks, the Estonian network 
filtered very little foreign traffic. 

¶12. (S) INDUSTRY VULNERABILITY. While Hansabank and SEB 
successfully weathered the cyber attacks, many other 
smaller private Estonian sites that were attacked were 
overwhelmed. With no industry standard or best practice in 
place in Estonia, many smaller businesses and/or private 
organizations (e.g., schools, NGOs, etc.) did not have the 
technical expertise or financial means to ramp up their 
broadband capacity. XXXXXXXXXXXX claimed that CERT's
log of  complaints and reported cyber attacks since April 27 is 
over 10 Tb (Tera bits). (Note. One TB is equal to one 
million Mega bits. To put this in perspective, the entire 
content of the online U.S. Library of Congress uses less 
than 10 TB. End Note.) As the majority of Estonian (SME) 
small and medium size enterprises employ online services as 
part of their daily business, the GOE is now aware that an 
industry standard with readily available cyber defensive 
software, tools, training, and public awareness-raising 
must become a part of Estonia's cyber defenses. 

Lessons Learned: Nightmare Scenarios 
------------------------------------ 

¶13. (S) TARGETING KEY ROUTERS AND SITES. Our Estonian 
interlocutors all agreed that even during the attacks' 
peak, Estonia's cyber network was not in any serious danger 
of being shut down. In some ways, Estonia was lucky. Rein 
Ottis, MOD Cyber Defense Chief, noted that had the attacks 
specifically targeted Estonia's key servers and routers, 
they could have shut down Estonia's entire cyber 
infrastructure. On May 4, two routers belonging to the GOE 
and Elion were attacked with an unknown data packet that 
crashed the routers almost immediately. XXXXXXXXXXXX
told us that if enough key  routers and/or servers were shut down, 
it would be the internet "equivalent of blowing up key roads and

TALLINN 00000375 004 OF 004 

intersections in the city Tallinn to bring all traffic to a  halt." 

¶14. (S) UNANNOUNCED AND BETTER TIMED ATTACKS. Most of the 
cyber attacks were discussed in advance on Russian-language 
internet forums, giving the Estonians the opportunity to 
ramp up broadband capacity in advance. XXXXXXXXXXXX
 told us that  the perpetrators gave away the element of surprise 
and  often timed their attacks in the evening (when Estonia's 
internet usage is at its lowest). Had they not made these 
mistakes, XXXXXXXXXXXX opined that the attacks could
 have shut  down their GOE targets for up to a week.
XXXXXXXXXXXX  was  thankful that they had advance
information about th  May 15  attacks against Hansabank and 
SEB. However, many  of the  attacks which employed bots
were unannounced and far more challenging, and in some
cases did crash their targets. If  all attacks had been like this,
XXXXXXXXXXXX and XXXXXXXXXXXX could  not
confidently predict whether Estonia's defenses would 
have held. 

¶15. (S) 2ND TIER STRATEGIC ATTACKS. Estonia's banks were 
generally well prepared for cyber attacks. However, the 
economic impact could have been worse if the attacks had 
focused on 2nd tier strategic targets which possessed less 
formidable defenses (Ref B). XXXXXXXXXXXX speculated
the  fallout would have been far more significant if Estonia's 
logistic-transport companies had been attacked. "As over 
three-fourths of all grocery stores, petrol stations, and 
shops rely on the internet for their orders and 
deliveries," asked XXXXXXXXXXXX, "can you imagine the
damage  this would bring? Cyber crime seems abstract to most 
people. There's nothing abstract about empty shelves in 
stores." XXXXXXXXXXXX also listed a whole range of
other strategic services and businesses that would have been far 
easier to crash than the banks. The MOD felt that 
XXXXXXXXXXXX descriptions were far fetched, bordering
on  "science fiction." However, when we mentioned
XXXXXXXXXXXX's  comments to XXXXXXXXXXXX
 he felt that recent events have changed  the parameters
of the debate on possible threat scenarios.  He said, 
"Last year, I would've considered a cyber war  against my
 country as science fiction, too - but not  anymore." 

GOLDSTEIN